MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

ArkeiStealer

Vendor detections: 14



SHA256 hash: 8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5
SHA3-384 hash: e65ebda218cb8b1a49d35a3b6411c67f1d45e81628c8f74a2beb1db1e9010606a218df69eec80adc967c1f90ed570db7
SHA1 hash: 3750742d25938f8cab8b98c3392f6cbdfd5b6a62
MD5 hash: bdb4e8663e6eb546a2bde8f8e3e9cdb4
humanhash: cold-fix-low-comet
File name: bdb4e8663e6eb546a2bde8f8e3e9cdb4.exe
Signature: ArkeiStealer
File size: 7'966'208 bytes
First seen: 2023-01-09 22:15:47 UTC
Last seen: 2023-01-09 23:28:39 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep: 98304:NnlrXO62YF91hRx/NJVJ4syA9SGl9/GnkN7c:bbFD9/L/AsyATlJGkN7
TLSH: T1D88644E9A8B37757DAE2ED673DF551A38241B2310400CACE0A8C6FDCA5F75A2098FD51
TrID: 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter: abuse_ch
Tags: ArkeiStealer exe


abuse_ch
ArkeiStealer C2:
http://49.12.113.110/

Intelligence


File Origin
# of uploads: 2
# of downloads: 194
Origin country: n/a
Vendor Threat Intelligence
Malware family:
ID: 1
File name: cfd57a3bbe2a49525cc1ff6183cc2085.exe
Verdict: Malicious activity
Analysis date: 2023-01-07 11:27:33 UTC
Tags: trojan loader smoke amadey rat redline evasion stealer vidar

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Private Blackberry Internal
Verdict: Malicious
Result
Threat name:
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Yara detected Vidar stealer
Behaviour
Behavior Graph ID: 781080
Sample: 1NBqFPVcA7.exe
Start date: 09/01/2023
Architecture: WINDOWS
Score: 100
Signatures on sample: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 7 other signatures
Process tree:
  1NBqFPVcA7.exe (started)
    dropped: C:\...\build_2023-01-06_10-15_protected.exe (PE32); C:\Users\user\AppData\...\SteamSetup.exe (PE32); C:\Users\user\AppData\...\1NBqFPVcA7.exe.log (CSV)
    build_2023-01-06_10-15_protected.exe (started)
      network: t.me 149.154.167.99, 443, 49701 TELEGRAMRU United Kingdom; 49.12.113.110, 49702, 80 HETZNER-ASDE Germany
      signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 3 other signatures
      cmd.exe (started)
        conhost.exe (started)
        timeout.exe (started)
    SteamSetup.exe (started)
      network: 192.168.2.1 unknown unknown
      dropped: C:\Program Files (x86)\Steam\uninstall.exe (PE32); C:\Program Files (x86)\...\SteamService.exe (PE32); C:\Program Files (x86)\Steam\Steam.exe (PE32); 5 other files (none is malicious)
      SteamService.exe (started)
        dropped: C:\Program Files (x86)\...\steamservice.exe (PE32)
        conhost.exe (started)
  svchost.exe (started)
    signature: Changes security center settings (notifications, updates, antivirus, firewall)
    MpCmdRun.exe (started)
      conhost.exe (started)
  svchost.exe (started)
    signature: Query firmware table information (likely to detect VMs)
  10 other processes
Threat name: ByteCode-MSIL.Backdoor.Mokes
Status: Malicious
First seen: 2023-01-07 17:09:00 UTC
File Type: PE (.Net Exe)
Extracted files: 4
AV detection: 33 of 41 (80.49%)
Threat level: 5/5
Verdict: malicious
Result
Malware family:
Score: 10/10
Tags: family:vidar botnet:494 discovery spyware stealer
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Vidar
Malware Config
C2 Extraction:
https://t.me/year2023start
https://steamcommunity.com/profiles/76561199467421923
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files

SHA256 hash: 7b51372117960e84d6f5eb3a26810cc044ff02283b3d656a0a456b0ab5cb8ea7
MD5 hash: c5b9fe538654a5a259cf64c2455c5426
SHA1 hash: db45505fa041af025de53a0580758f3694b9444a

SHA256 hash: 9a88bccecb259132fab9a4f1772aad101941ec94a6dc4066f682ea98a8e7bb5c
MD5 hash: 0a3e96735158c2cfc4428be229bc5dd3
SHA1 hash: c55008fe4406c21e8ec464eb8b8e896a9360f689

SHA256 hash: 067c77d51df034b4a614f83803140fbf4cd2f8684b88ea8c8acdf163edad085a
MD5 hash: 0d45588070cf728359055f776af16ec4
SHA1 hash: c4375ceb2883dee74632e81addbfa4e8b0c6d84a

SHA256 hash: e47f229a874c4ee7a4d65725ebbe9cf21ad4ad8721d7b79abc9525790c658da3
MD5 hash: cc2c1ac676c52a4aa6e6f354b371e7a3
SHA1 hash: c3e407a669b4c808e198ece5207bd238550ba69b

SHA256 hash: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
MD5 hash: f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 hash: b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256 hash: e2ad7736209d62909a356248fce8e554093339b18ef3e6a989a3c278f177ad48
MD5 hash: 98a4efba4e4b566dc3d93d2d9bfcab58
SHA1 hash: 8c54ae9fcec30b2beea8b6af4ead0a76d634a536

SHA256 hash: 8dc2be6679497994e3ddc97bc7bc1ce2b3c17ef3528b03ded6696ef198a11d10
MD5 hash: 0c44f21d4afc81cc99fac7cc35e4503a
SHA1 hash: 3d0d5c684df99a46510c0e2c0020163a9d11c08d

SHA256 hash: 2e226715419a5882e2e14278940ee8ef0aa648a3ef7af5b3dc252674111962bc
MD5 hash: a4dd044bcd94e9b3370ccf095b31f896
SHA1 hash: 17c78201323ab2095bc53184aa8267c9187d5173

SHA256 hash: 08b623cdf21bcff2bb6dfe13441022ac1a604e95124e46c46795af0cbc68cbc8
MD5 hash: de69b3981d3a5e41acb6da84c351e627
SHA1 hash: 3432cecdaedbe4bed725071107517abe1e75e64e

SHA256 hash: 73d5eb6c6f22ecfcf0a7551bc7d518999091750b4a35207213a4358b604f3e1b
MD5 hash: ef2cc26de59c76033a99ed6fe7b39269
SHA1 hash: 02214655b3e2ce4169120488a2126ca46d747cc7

SHA256 hash: 8c6a95a1bf06c22224ab43bc1a1948f2cb0fd8d7089f2b828033c0fde161d2c2
MD5 hash: d5bf01b2a316120d3d906e48e850520e
SHA1 hash: a0e2f1caca1d35c227d231e6063d71ffe1d06322

SHA256 hash: 8f485c0ced1df9b72c676413a4fbf7dcb0ff502cb90932cfe4430c08d8c87de5
MD5 hash: bdb4e8663e6eb546a2bde8f8e3e9cdb4
SHA1 hash: 3750742d25938f8cab8b98c3392f6cbdfd5b6a62
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: MALWARE_Win_DLInjector04
Author: ditekSHen
Description: Detects downloader / injector

Rule name: msil_rc4

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Telegram_Links

Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments